Skip to main content

Malware Analysis of a Cryptocurrency Miner— Part 2

 Dynamic analysis

So in the last write up, I did a static analysis of a “Bitcoin miner”, so the next step in our analysis process is to do dynamic analysis.
In the dynamic analysis, we’ll execute the malware within a safe environment and monitor it’s process, file system, registry, and network activity.

Environment Set up

It goes without saying but we’ll need to ensure we have a safe environment set up before we execute the malware and have all the monitoring tools ready before execution. I’m using Oracle VirtualBox and I’ve set up 2 VMs in host-only mode.

Executing the malware

Now that the environment is set up, it’s time to execute the malware.

I first renamed the file from 02ca4397da55b3175aaa1ad2c99981e792f66151.bin to 02ca4397da55b3175aaa1ad2c99981e792f66151.exe
and the file icon changed from

to

So we can tell it’s designed to disguise itself as a folder to trick a user to double click it to open.

Now that’s running, let’s check process hacker:

We can see it has started running as process but after that, I don’t see much else.
I let it run for about 1 minute and then terminate it from the process hacker.
After that, we can start to review the logging we had setup but just to add, I didn’t see anything else visually, which is something I was expected (but at the same time I was keeping an eye for anything unusual) because we didn’t see any dll imports or exports to indicate the binary using a GUI.

Network logs

I like to first look through the Wireshark logging to see the calls it made:

Let’s take a quick glance at some of the calls made:
“tshark -r file.pcap -Y http.request -T fields -e http.host -e http.request.full_uri”

We can see it made a number of requests to .ru websites (remember from the static analysis we had seen some of these URLs) and they are all HTTP requests (port 80).

We can see communication occurring between the two VMs but there is no weighty traffic.

If we look through Wireshark and filter the source to be the windows VM we see the following:


We can see the binary has been sending a ‘GET’ request to ‘stafftest . ru’ and has been incrementing the first parameter by one and it changed the URL (the above screenshot shows the order of different URLs it was changing on every increment). We can tell that it has gone into a loop of ‘GET’ requests.
If we follow the TCP stream we see:

We can tell that the binary clearly doesn’t want an INETSIM HTML response, maybe that was the reason why it was in a loop because it did not get the response to meet it’s conditions.
A way for us to allow the binary to make a request safely to the internet is to set up a TOR proxy. This way the receiver won’t know the true source. (Another todo :) )

Ok, so after looking through it a bit more there wasn’t anything else the network logs revealed.

Procmon logs

So now let’s take a look through the process monitor logs we ran through Noriben.

Straight off the bat we see:
File Activity:
==================
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]
[CreateFile] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > %LocalAppData%\Microsoft\Windows\INetCache\IE\EA51LVPB\test[1].htm [File no longer exists]

This is normal as in the network logs we did see the binary make a ‘GET’ request to an a ‘test’ file, so it would have cached the file, which is normal, but we could say that since the binary did not get the file it was looking for, it removed it and kept trying (the loop we saw earlier).

Registry Activity:
RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix =
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = Cookie:
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = Visited:
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = 1
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = 1
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = 1
[RegSetValue] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = 0

Unfortunately, we can’t gather heaps of information from the RegSetValue, why it’s setting these values, I don’t know, why it did it twice (maybe it’s in a loop), I don’t know but it trying to change the values under the “ZoneMap” would indicate it is going to set the values to allow the domain of the mining service as “allow” so that it’s not blocked by the targets machine.

Network Traffic

[TCP] 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768 > 192.168.1.100:80
[TCP] 192.168.1.100:80 > 02ca4397da55b3175aaa1ad2c99981e792f66151.exe:1768

We’ve already analysed this TCP connection via Wireshark but it’s good to know we didn’t miss any other connections, like UDP.
Also, we can see that the binary has an open port on 1768. We did see in the imports section from PEstudio that uses “InternetConnectionA” (https://docs.microsoft.com/en-us/windows/win32/api/wininet/nf-wininet-internetconnecta) which is used for an open FTP and HTTP session, and from what we saw via Wireshark we know that it’s using it for a HTTP session waiting for the correct response from it’s “GET” request.

Ok, so we gained a hint of what the binary does thanks to dynamic analysis and what other techniques we could deploy if we were to execute it again (like use a TOR proxy).
But now we will need to dig deeper into the binary….

Comments

Post a Comment

Popular posts from this blog

Malware Analysis: Dissecting a Golang Botnet - Part 1

Introduction In this post, I walk through the process of analyzing a Golang-based botnet sample — specifically a variant of FritzFrog , a peer-to-peer (P2P) botnet known for brute-forcing SSH servers and spreading laterally across networks. The goal here is to share my steps, tools, and insights while preparing for a cybersecurity analyst role.  🐸 1. Downloading the Malware Sample I began by grabbing the malware sample from Da2dalus’ excellent GitHub repository of real-world malware: URL: FritzFrog Sample on GitHub To fetch the raw binary into my WSL environment, I used: wget -O botnet_malware_IM https://github.com/Da2dalus/The-MALWARE-Repo/raw/refs/heads/master/Botnets/FritzFrog/001eb377f0452060012124cb214f658754c7488ccb82e23ec56b2f45a636c859 📤 2. Transferring the Malware to the Flare VM (Windows) My analysis environment was running inside a Windows VM using FLARE VM . Since the malware was downloaded via WSL, I needed a way to securely transfer it to the Windows VM. First, ...
Post a Comment
Read more

Building my own write blocker

  Spoiler — It’s cheaper than buying one I was looking to buy a write blocker to do data recovery/forensics tasks but I quickly noticed that I was window shopping write blockers due to their cost. Some starting at £300, others that cost less were no longer being built or sold, maybe you could find a 2nd hand one with or without the wires. Most of these write blockers were industry standard, used by law enforcement but was it necessary for me to buy such an expensive write blocker….or is it possible to build my own….. So th e  research began, reading through articles, publications, and so on, and with the information gained, I felt that I could build my own write blocker. So what do I need: A Raspberry Pi A Linux distro. HDD/SSD to test the write blocker And to put the information I gained into practice Building the write blocker So, I brought a Raspberry Pi 4 Model B that came with a power supply, HDMI cables, 32GB SD card, a case, and some extras. ( https://www.okdo.com/c/pi-...
Post a Comment
Read more

Notes from a Linux command line course

 Recently I took a course on Linux command line and shell scripting, below are the notes I took which I decided to write into a blog to refer to for future reference (there's no way I could remember all of this in a single sitting) 1. Kernel vs Shell OS has 3 layers: Application layer - User apps, Daemons Shell - Command line interface. Kernel - Hardware management, memory management, I/O Handler, CPU, process management. Closest layer to the hardware The kernel controls and mediates access to hardware, for example, it schedules and allocates system resources like memory, CPU, disk etc. The shell works as an interface to access the services provided by the OS. We can further breakdown the layers into the following: User space - If you run a for loop etc, you are in user space. But when you want to perform an operation such as, write to the disk, for example, save a file, then it needs to talk to the kernel space. As the application can't directly talk to the hardware. Kernel sp...
Post a Comment
Read more